Environment Variables
Owner: Engineering Last reviewed: 2026-Q2
This page catalogs environment variables used by the repo. Values belong in local .env files, Azure DevOps variable groups, or Key Vault. Do not commit real secrets.
Backend
| Variable | Required | Purpose | Secret |
|---|---|---|---|
| AZURE_OPENAI_ENDPOINT | Yes for chat features | Azure OpenAI endpoint for chat/action-point generation | No |
| AZURE_OPENAI_API_KEY | Yes for chat features | Azure OpenAI API key | Yes |
| AZURE_OPENAI_API_VERSION | Yes for chat features | Azure OpenAI API version | No |
| AZURE_OPENAI_DEPLOYMENT | Yes for chat features | Azure OpenAI deployment name | No |
| AZURE_OPENAI_MODELNAME | Optional/config | Model name metadata | No |
| AZURE_OPENAI_EMBEDDINGS_ENDPOINT | Yes for embeddings | Azure OpenAI embeddings endpoint | No |
| AZURE_OPENAI_EMBEDDINGS_MODELNAME | Yes for embeddings | Embeddings deployment/model name | No |
| AZURE_COMPUTER_VISION_ENDPOINT | Yes for OCR | Azure Computer Vision endpoint | No |
| AZURE_COMPUTER_VISION_KEY | Yes for OCR | Azure Computer Vision key | Yes |
| AZURE_DOCUMENT_INTELLIGENCE_ENDPOINT | Yes for document analysis | Azure Document Intelligence endpoint | No |
| AZURE_DOCUMENT_INTELLIGENCE_KEY | Yes for document analysis | Azure Document Intelligence key | Yes |
| MICROSOFT_CLIENT_ID | Yes for Azure SP flows | Azure service principal client ID | Sensitive |
| MICROSOFT_TENANT_ID | Yes for Azure SP flows | Azure tenant ID | Sensitive |
| MICROSOFT_CLIENT_SECRET | Yes for Azure SP flows | Azure service principal secret | Yes |
| STORAGE_ACCOUNT_NAME | Yes for storage | Azure Storage account name | No |
| STORAGE_CONTAINER_NAME | Yes for storage | Azure Storage container name | No |
| DB_URL | Yes | Database host/URL | Sensitive |
| DB_USER | Yes | Database username | Sensitive |
| DB_PASSWORD | Yes | Database password | Yes |
| DB_NAME | Yes | Database name | No |
| API_ENDPOINT | Environment-dependent | Public API endpoint metadata | No |
| CLERK_FRONTEND_API | Yes | Clerk issuer/JWKS base URL | No |
| CLERK_SECRET_KEY | Yes for Clerk server calls | Clerk backend secret | Yes |
| CLERK_AUTHORIZED_PARTIES | Recommended | Comma-separated allowed azp values | No |
| ENVIRONMENT | Recommended | Controls CORS/security behavior: development, staging, production | No |
Frontend
| Variable | Required | Purpose | Secret |
|---|---|---|---|
| VITE_APP_API_URL | Yes | Backend API base URL | No |
| VITE_CLERK_PUBLISHABLE_KEY | Yes | Clerk browser publishable key | No |
| VITE_CLERK_BILLING_PLAN_ID | If billing UI enabled | Clerk plan ID | No |
| VITE_CLERK_BILLING_PLAN_PERIOD | If billing UI enabled | Billing period used by UI | No |
Vite exposes VITE_* variables to the browser. Never put secrets in frontend environment variables.
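One way to enforce this rule in CI is to audit the frontend env file before a build. This is an added example, not code from this repo: the function names, the name-pattern heuristic, the `sk_` value check and the sample input are assumptions, while the secret list is taken from the Backend table above.

```python
import re

# Backend variables this page marks "Secret: Yes".
BACKEND_SECRETS = {"AZURE_OPENAI_API_KEY", "AZURE_COMPUTER_VISION_KEY",
                   "AZURE_DOCUMENT_INTELLIGENCE_KEY", "MICROSOFT_CLIENT_SECRET",
                   "DB_PASSWORD", "CLERK_SECRET_KEY"}
# Assumption: name fragments that usually indicate a credential.
SECRET_HINT = re.compile(r"SECRET|PASSWORD|TOKEN|PRIVATE|(?<!PUBLISHABLE)_KEY$")


def parse_env(text):
    """Parse dotenv-style text into {name: value}; comments and blanks are skipped."""
    pairs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = name.strip().removeprefix("export ").strip()
        pairs[name] = value.strip().strip("'\"")
    return pairs


def audit_frontend_env(text):
    """Return sorted (name, reason) findings for a frontend .env file."""
    findings = []
    for name, value in parse_env(text).items():
        if name.removeprefix("VITE_") in BACKEND_SECRETS:
            findings.append((name, "backend secret in frontend env"))
        elif not name.startswith("VITE_"):
            continue  # Vite's default prefix keeps it out of the bundle
        elif SECRET_HINT.search(name):
            findings.append((name, "VITE_ name suggests a secret"))
        elif value.startswith("sk_"):  # assumption: Clerk secret-key prefix
            findings.append((name, "value looks like a Clerk secret key"))
    return sorted(findings)


# Constructed sample input, not a real configuration.
SAMPLE = """\
VITE_APP_API_URL=https://api.example.test
VITE_CLERK_PUBLISHABLE_KEY=sk_test_CONSTRUCTED
VITE_CLERK_SECRET_KEY=sk_test_CONSTRUCTED
export VITE_DB_PASSWORD="constructed"
VITE_UPLOAD_TOKEN=constructed
DB_PASSWORD=constructed
"""

if __name__ == "__main__":
    print(*audit_frontend_env(SAMPLE), sep="\n")
```

A non-empty result should fail the pipeline step; the check needs Python 3.9 or later for `str.removeprefix`.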
Environment Sources
- Local backend: copy backend/py/env.example to the local .env used by backend/py/main.py.
- Local frontend: copy frontend/env.example to frontend/.env.
- Azure DevOps: variable groups are selected by branch: dev, showcase, prod.
- Production-grade secrets should live in Key Vault or protected variable groups.
Change Process
- Adding a required env var requires updating this page, the relevant env.example, the pipeline variable group, and the deployment notes.
- Removing or renaming an env var requires a staged rollout when old containers may still read the previous name.
- Treat provider keys and DB credentials as rotation-capable; document rotation steps if they differ by provider.